TL;DR

CISA’s Known Exploited Vulnerabilities (KEV) catalogue added another batch of flaws this week, which means attackers are already using them in real-world attacks, not just in lab demos. For Australian SMBs, the urgent priorities are internet-facing infrastructure, remote admin tools, print management, email platforms, and endpoint security software, with the practical patch deadline being now and no later than 27 April 2026 if you are following the same timetable CISA set for federal agencies.

Why this week’s KEV update matters to SMBs

The CISA KEV catalogue is one of the few vulnerability lists that cuts through the noise. If a CVE lands there, exploitation has already been observed in the wild. That matters for a 10-50 person business because most smaller teams do not have time to patch everything, but they do need to patch the things attackers are actively abusing.

This week’s KEV additions hit products that many mid-market and channel-heavy businesses actually run: Cisco SD-WAN infrastructure, Microsoft Defender, JetBrains TeamCity, Quest KACE, Zimbra Collaboration Suite, Kentico Xperience and PaperCut NG/MF. Even if you do not use every product on the list, the pattern is familiar: remote management, admin APIs, mail systems and business workflow tools are still prime entry points for ransomware and follow-on compromise.

For Australian SMB owners, the plain-English rule is simple: if the system helps staff log in, manage devices, print documents, run websites or move email, it is a business risk, not just an IT problem.

The most important KEV additions and what they mean in plain English

1. Cisco Catalyst SD-WAN Manager: three actively exploited flaws

CISA highlighted three Cisco SD-WAN bugs now being exploited in the wild:

  • CVE-2026-20122
  • CVE-2026-20128
  • CVE-2026-20133

Affected vendor: Cisco
Exploitation status: In the wild
Practical deadline: Patch immediately; use 27 April 2026 as the outside deadline from the current KEV cycle

In plain English, these flaws can let a low-privilege user read sensitive data, recover credentials, or overwrite files inside Cisco’s SD-WAN management environment. For an SMB with branch offices, managed networking, or a security provider using Cisco on its behalf, that can become a stepping stone to wider network access.

Why it matters: if your internet edge or WAN management plane is exposed, attackers may not need phishing at all. They can go straight for the system that connects your offices and cloud apps.

2. Microsoft Defender CVE-2026-33825: security software became part of the attack surface

CVE-2026-33825, nicknamed “BlueHammer”, affects Microsoft Defender.

Affected vendor: Microsoft
Exploitation status: In the wild, with proof-of-concept details also publicly discussed
Practical deadline: Patch immediately; if unmanaged endpoints still have the vulnerable build after 27 April 2026, assume elevated risk

This is a local privilege escalation flaw. In plain English, it means an attacker who already has a foothold on a Windows machine can use Defender’s own remediation logic to gain more control. That is especially dangerous for SMBs because it turns a minor compromise, such as a stolen user account or malware dropper, into an admin-level incident.

If your business relies on Microsoft 365 and Windows endpoints, this one matters even if the initial entry point was email, Teams, or a browser download. Defender is meant to contain damage; this bug can help expand it.

The SMB software stack risks hiding behind the headlines

3. JetBrains TeamCity and Quest KACE: tools admins forget, attackers do not

Recent KEV additions also include flaws affecting JetBrains TeamCity and Quest KACE Systems Management Appliance.

Affected vendors: JetBrains, Quest
Exploitation status: In the wild
Practical deadline: Patch or isolate immediately; do not leave exposed over a weekend

These are classic “quietly critical” systems. TeamCity can touch source code, credentials and deployment pipelines. KACE can manage endpoints and software across a whole estate. In plain English, if attackers compromise either tool, they can often move from one box to many.

For SMBs, this is common in IT consultancies, software shops, engineering firms and managed environments where a single admin console controls multiple client or staff devices.

4. Zimbra, Kentico and PaperCut: business apps that can turn into breach paths

This week’s KEV activity also covered Zimbra Collaboration Suite, Kentico Xperience and PaperCut NG/MF.

Affected vendors: Zimbra, Kentico, PaperCut
Exploitation status: In the wild
Practical deadline: Patch now; where no rapid patch path exists, restrict access and review logs today

These platforms are highly relevant to SMBs:

  • Zimbra handles business email and collaboration
  • Kentico powers websites and customer-facing content
  • PaperCut runs printing, scanning and document workflows in schools, clinics, legal offices and general business environments

In plain English, these bugs matter because they sit close to users and business data. A vulnerable mail platform can lead to account takeover. A vulnerable CMS can become a web shell. A vulnerable print server can become an internal launch point for lateral movement.

What about Microsoft 365, Google Workspace, NGINX, Fortinet, Ivanti, VMware and WordPress?

Not every SMB-familiar platform received a fresh KEV addition in the material reviewed this week, but that does not lower the risk. Fortinet and Microsoft products continue to appear regularly in KEV-driven patching discussions, and WordPress remains a live concern because actively exploited plugin bugs can be weaponised faster than many owners realise.

The practical recommendation is:

  • Microsoft 365 shops: patch Windows and Defender first, then review identity protections
  • Google Workspace shops: focus on third-party admin tools, browsers and endpoint agents
  • NGINX, VMware, Fortinet and Ivanti operators: review vendor advisories weekly even if this week’s KEV batch did not centre on your stack
  • WordPress sites: update core, plugins and themes, especially performance and caching plugins with file-upload or remote-fetch features

FAQ

It is CISA’s list of vulnerabilities known to be actively exploited in the wild. It is more actionable than a generic CVE feed because it filters for real-world attacker activity.

Yes. Attackers do not care whether the victim is in Washington or Wollongong. If a flaw is being exploited against one target set, Australian SMBs running the same software are exposed too.

Compensate fast: restrict internet exposure, disable vulnerable services where possible, enforce MFA, rotate privileged credentials and monitor logs for suspicious admin activity. Then patch at the earliest maintenance window, not next month’s cycle.

Weekly at minimum. For internet-facing systems, MSP-managed estates and businesses in legal, healthcare, finance or professional services, daily monitoring is better.
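Checking the catalogue weekly is easier if the check is scripted. The following is an added example, not code from the original post or from CISA: it filters the KEV feed down to the vendors and products a business actually runs and shows how many days remain before each CISA due date. The feed layout it reads (a top-level "vulnerabilities" list whose entries carry "cveID", "vendorProject", "product" and "dueDate") and the feed URL are CISA's real ones; SAMPLE_FEED is a constructed offline stand-in whose CVE ids and 27 April 2026 due date come from the post, with one filler entry so the filter has something to drop.

```python
"""Filter the CISA KEV feed down to the vendors and products a business runs.

Added example, not code from the original post or from CISA.  The feed layout
used here (a top-level "vulnerabilities" list whose entries carry "cveID",
"vendorProject", "product" and "dueDate") and the feed URL are CISA's real
ones; SAMPLE_FEED is a constructed offline stand-in whose CVE ids and
27 April 2026 due date come from the post and whose last entry is filler.
"""
import json
import urllib.request
from datetime import date

KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed sample; real entries carry more fields (dateAdded, requiredAction,
# knownRansomwareCampaignUse, ...) which this example does not need.
SAMPLE_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager", "dueDate": "2026-04-27"},
        {"cveID": "CVE-2026-20128", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager", "dueDate": "2026-04-27"},
        {"cveID": "CVE-2026-20133", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager", "dueDate": "2026-04-27"},
        {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft",
         "product": "Defender", "dueDate": "2026-04-27"},
        # Filler entry with a placeholder id, so the filter has something to drop.
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
         "product": "Example Product", "dueDate": "2026-05-01"},
    ]
}


def load_feed(url=KEV_FEED_URL, timeout=30):
    """Fetch the live catalogue (needs network); use SAMPLE_FEED offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def match_inventory(feed, inventory, today):
    """Return KEV entries whose vendor or product mentions something in `inventory`.

    `inventory` is a list of keywords describing what the business runs
    ("cisco", "papercut", "wordpress", ...).  Matching is a case-insensitive
    substring test on both vendorProject and product, so "defender" catches
    Microsoft Defender without needing CISA's exact product string.
    `today` may be a date or an ISO date string.  Soonest deadline comes first.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    keywords = [k.lower() for k in inventory]
    hits = []
    for entry in feed.get("vulnerabilities", []):
        haystack = f"{entry.get('vendorProject', '')} {entry.get('product', '')}".lower()
        if not any(k in haystack for k in keywords):
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": entry["cveID"],
            "vendor": entry.get("vendorProject", ""),
            "product": entry.get("product", ""),
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "overdue": today > due,
        })
    hits.sort(key=lambda h: (h["due"], h["cve"]))
    return hits


def report(hits):
    """One line per hit, flagged when the CISA deadline has already passed."""
    lines = []
    for h in hits:
        flag = "OVERDUE" if h["overdue"] else f"{h['days_left']} days left"
        lines.append(f"{h['cve']}  {h['vendor']} {h['product']}  due {h['due']}  ({flag})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Swap SAMPLE_FEED for load_feed() to run against the live catalogue.
    what_we_run = ["cisco", "defender", "papercut", "wordpress"]
    print(report(match_inventory(SAMPLE_FEED, what_we_run, date.today())))
```

Run it from cron or a scheduled task with `load_feed()` in place of the sample, and keep the inventory list honest: the filter is only as good as the list of products you admit to running.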

Conclusion

This week’s KEV additions reinforce an old lesson: attackers still win through known flaws in important business systems. If you run Cisco networking, Microsoft Defender, TeamCity, KACE, Zimbra, Kentico or PaperCut, treat these CVEs as immediate business risks and not routine maintenance.

Patch what is internet-facing first, then patch what can manage users, devices or data, and use 27 April 2026 as the hard line for this week’s urgent fixes. Visit consult.lil.business for a free cybersecurity assessment.

TL;DR

  • A security bug called CVE-2026-3888 affects Ubuntu computers
  • It lets regular users become the boss (root user) and take full control
  • Fix it today: Update your Ubuntu computers to get the security patch
  • The bug is like a janitor who accidentally gives the office keys to everyone

What's Going On?

Imagine you work in an office where the janitor has a routine:

  1. Every 30 days, the janitor cleans out a storage room
  2. The janitor throws away old stuff and empties the room
  3. Later, the boss refills the room with important documents
  4. The janitor locks the room and only the boss has the key

Now imagine someone figured out the janitor's schedule. Right after the janitor empties the room but before the boss refills it, that person sneaks in and puts their own fake documents in the room.

When the boss comes back, they assume everything in the room is legitimate — because it's in the locked room. They use those fake documents without checking.

That's exactly what CVE-2026-3888 does.

How the Bug Works

Ubuntu computers use a system called Snaps — a way to package applications (like software you install) [1]. These Snaps live in special folders that get cleaned up periodically by a janitor service called systemd-tmpfiles [2].

Here's what happens:

Normal behavior:

  1. Snap applications use a special folder called /tmp/.snap
  2. Every 10-30 days, the janitor service cleans up old files in this folder
  3. Snap applications recreate the folder with fresh files
  4. Everything works fine

The exploit:

  1. Attacker waits for the janitor to clean the folder
  2. Right after cleanup, the attacker recreates the folder first
  3. Instead of good files, they put bad files in there
  4. When Snap applications start, they trust the bad files because they're in the right place
  5. The bad files run with boss privileges (root) — giving the attacker full control [3]

Why this works: The Snap system assumes the folder is safe because it's supposed to be in a secure location. But it doesn't check who put the files there after the janitor cleaned up.

Why Should Your Business Care?

You might think: "But the attacker already needs access to the computer. Isn't that bad enough?"

Here's why this matters:

Initial access is easy: Attackers get in through:

  • Phishing emails that steal passwords
  • Weak passwords on employee accounts
  • Other security vulnerabilities
  • Physical access (like leaving a laptop unlocked)

This bug makes it worse: Once they're in, they can:

  • Become the boss (root user) and do anything
  • Install spyware to steal passwords and data
  • Delete files or hold your business hostage for ransom
  • Hide their tracks so you never know they were there

Think of it like this: An attacker picks the lock on your back door (gets in with a regular account). Then they find the master key hanging on the wall (uses CVE-2026-3888 to become root). Now they can go anywhere and do anything [4].

Which Computers Are Affected?

CVE-2026-3888 affects Ubuntu Desktop computers running:

  • Ubuntu 24.04 and newer
  • Computers with Snap packages installed
  • Systems that haven't updated recently [5]

Check if you're affected:

Open a terminal and type:

snap version

If you see snapd version 2.72 or older, you need to update [6].

Many small businesses run Ubuntu on their laptops and desktops. If you use Ubuntu for your business computers, you need to check this.

The Simple Fix: Update Your System

Step 1: Check Your Version

Open a terminal and run:

snap version

Look at the snapd version number. If it's older than 2.73, you're vulnerable [7].

Step 2: Update Ubuntu

Run these commands to update everything:

sudo apt update
sudo apt upgrade -y

This downloads and installs the security patch [8].

Step 3: Restart Your Computer

After the update finishes, restart:

sudo reboot

This makes sure all the new security fixes are running properly [9].

Step 4: Verify the Fix

After restarting, check the version again:

snap version

You should now see snapd version 2.73 or newer. That means you're protected [10].
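For anyone managing more than a couple of machines, the four steps above are worth scripting so the check is repeatable. The block below is an added example, not code from the original post or from Canonical: it reads `snap version` output, compares the snapd version numerically against 2.73 (which the post gives as the first fixed release; that threshold is taken from the post), and reports vulnerable, patched or unknown. It assumes `snap version` prints one "name  value" pair per line with a "snapd" row; SAMPLE_OUTPUT is constructed, and the kernel string in it is illustrative.

```python
"""Decide from `snap version` output whether a host still runs a vulnerable snapd.

Added example, not code from the original post or from Canonical.  It assumes,
as the post states, that snapd 2.73 is the first fixed release, and that
`snap version` prints one "name  value" pair per line with a "snapd" row.
SAMPLE_OUTPUT is constructed; run the file on an Ubuntu host to check for real.
"""
import re
import shutil
import subprocess

FIXED_SNAPD = (2, 73)          # first patched release, per the post

# Constructed `snap version` output from a host that has not yet been updated.
SAMPLE_OUTPUT = """\
snap    2.72
snapd   2.72
series  16
ubuntu  24.04
kernel  6.8.0-00-generic
"""


def parse_version(text):
    """'2.72', '2.73.1' or '2.72+24.04' -> a tuple of ints that compares correctly.

    Plain string comparison gets this wrong ('2.9' > '2.73'), so split on dots
    and compare numerically; anything after the numeric part (build suffixes)
    is ignored.
    """
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def snapd_version_from_output(output):
    """Pull the snapd version out of `snap version` output, or None if absent."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "snapd":
            return parts[1]
    return None


def is_vulnerable(version_text):
    """True when the snapd version is older than the first fixed release."""
    return parse_version(version_text) < FIXED_SNAPD


def assess(output):
    """'vulnerable', 'patched', or 'unknown' when the output cannot be read."""
    version = snapd_version_from_output(output)
    if version is None:
        return "unknown"
    try:
        return "vulnerable" if is_vulnerable(version) else "patched"
    except ValueError:
        return "unknown"   # e.g. "snapd  unavailable" when snapd is not running


def check_this_host():
    """Run `snap version` here, if the snap command exists, and return the verdict."""
    if shutil.which("snap") is None:
        return "unknown"
    result = subprocess.run(["snap", "version"], capture_output=True, text=True, check=False)
    return assess(result.stdout)


if __name__ == "__main__":
    verdict = check_this_host()
    print(f"snapd status: {verdict}")
    if verdict == "vulnerable":
        print("Run: sudo apt update && sudo apt upgrade -y, then sudo reboot, then re-check.")
    elif verdict == "unknown":
        print("Could not read a snapd version; is this an Ubuntu host with snapd installed?")
```

The script deliberately does not run the upgrade itself; it tells you what to do, which keeps it safe to run from a monitoring job. Note that a vulnerable verdict after `apt upgrade` but before the reboot is expected, which is exactly why Step 3 is there.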

What If You're Not Technical?

That's completely okay! Here's what to tell your IT person or computer support:

"There's a security vulnerability called CVE-2026-3888 affecting Ubuntu systems. I need to update snapd to version 2.73 or newer. Can you help me patch all our Ubuntu computers?"

Or better yet, have a cybersecurity professional handle it for you. They can:

  • Check all your computers for vulnerabilities
  • Test patches before applying them (so nothing breaks)
  • Update everything safely
  • Make sure your systems stay secure going forward


The Big Lesson: Timing Matters in Security

CVE-2026-3888 is called a race condition vulnerability — it's all about timing [11].

Think of it like this:

  • The janitor cleans the room
  • There's a gap before the boss refills it
  • Attackers exploit that gap

In computer security, these "gaps" happen when different parts of a system don't coordinate perfectly. The janitor service cleans files. The Snap system uses files. But they don't check in with each other to make sure everything is safe.
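The defensive pattern behind that lesson can be shown in code. What follows is an added example, not snapd's code and not from the original post: it contrasts the naive "check the name, then use the name" approach with one that opens the directory without following symlinks and inspects the open handle, so the thing that was checked is the thing that gets used, and a pre-existing directory is never assumed to be ours just because it sits where ours should be. The ownership and permission rules it applies are general good practice, not a description of snapd's internals, and the directory names in demo() are constructed inside a throwaway temp directory.

```python
"""Use a shared-temp directory only after checking, on the open handle, who owns it.

Added example, not snapd's code and not from the original post: it shows the
general defence against the gap the janitor story describes (check, then use,
with nothing tying the two together), not snapd's internals.  The directory
names in demo() are constructed inside a throwaway temp directory.
"""
import os
import shutil
import stat
import tempfile


class UntrustedDirectory(Exception):
    """Raised when a directory is not ours to trust."""


def use_dir_naively(path):
    """The pattern the story warns about: check by name, then use by name later.

    Between os.path.isdir() and os.listdir() the path can be swapped for a
    symlink or recreated by someone else, and nothing here would notice.
    """
    if os.path.isdir(path):
        return os.listdir(path)
    raise FileNotFoundError(path)


def open_trusted_dir(path, expected_uid):
    """Open `path` without following symlinks, then inspect the open handle.

    Checking the file descriptor (fstat) rather than the name means the thing
    we checked is the thing we go on to use; the name cannot be swapped under us.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:            # ELOOP for a symlink, ENOTDIR for a file, ...
        raise UntrustedDirectory(f"{path}: not a plain directory ({exc.strerror})") from exc
    st = os.fstat(fd)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    if problems:
        os.close(fd)
        raise UntrustedDirectory(f"{path}: " + "; ".join(problems))
    return fd


def claim_private_dir(path, expected_uid):
    """Create `path` as 0700 if missing; if it already exists, do not assume it is ours."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass                          # pre-existing: could be ours, could be planted
    return open_trusted_dir(path, expected_uid)


def demo():
    """Exercise the checks on constructed directories; returns a verdict per case."""
    base = tempfile.mkdtemp()
    me = os.getuid()
    results = {}

    def verdict(path):
        try:
            os.close(claim_private_dir(path, me))
            return "trusted"
        except UntrustedDirectory:
            return "rejected"

    fresh = os.path.join(base, "fresh")          # created by us just now
    results["fresh"] = verdict(fresh)
    results["reused"] = verdict(fresh)           # exists from before, still ours and 0700

    loose = os.path.join(base, "loose")          # pre-existing and world-writable
    os.mkdir(loose)
    os.chmod(loose, 0o777)
    results["world_writable"] = verdict(loose)

    link = os.path.join(base, "link")            # a symlink standing where the dir should be
    os.symlink(base, link)
    results["symlink"] = verdict(link)
    results["naive_follows_symlink"] = sorted(use_dir_naively(link)) == sorted(os.listdir(base))

    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of `claim_private_dir` is the `FileExistsError` branch: finding the directory already there is not evidence that we made it, so it goes through the same checks as anything else. That is the "check in with each other" step the paragraph above says the janitor service and the Snap system lacked.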

This is why regular updates matter: Security researchers find these gaps, and software companies fix them. But the fixes only work if you install them.

How to Protect Your Business Going Forward

1. Keep Systems Updated

Set up automatic updates or check for updates regularly. Security patches are like vaccinations — they protect you from known threats [12].

2. Limit User Access

Not everyone needs boss-level access. Give employees the minimum access they need to do their jobs. If an attacker gets a regular user account, they can't do as much damage [13].

3. Monitor for Suspicious Activity

Watch for:

  • New user accounts you don't recognize
  • Programs running that you didn't install
  • Strange network activity or data leaving your network

4. Have a Security Partner

Small businesses often don't have a full-time security person. That's okay — you can work with a cybersecurity company like lilMONSTER to:

  • Monitor your systems for vulnerabilities
  • Apply security patches promptly
  • Respond to incidents if something goes wrong

FAQ

No. This bug requires someone to already have access to your computer (like a user account). But attackers often get in through phishing emails or weak passwords, then use bugs like this to take full control.

Yes. Restarting ensures all the new security fixes are properly loaded and running. It's a small inconvenience for much better protection.

This specific bug only affects Ubuntu. If you use Windows, macOS, or other Linux versions, you're not vulnerable to CVE-2026-3888. But all systems have vulnerabilities — keep everything updated regardless.

Signs include new programs you didn't install, files that mysteriously changed or disappeared, slow computer performance, or unusual network activity. If you suspect something's wrong, get professional help immediately.

All complex software has bugs — even Windows, macOS, and iPhone software have vulnerabilities. The key is updating promptly when fixes are available. Ubuntu has a good security team that releases patches quickly.

References

[1] Snapcraft, "What Are Snaps?" Canonical, 2026. [Online]. Available: https://snapcraft.io/docs/snaps-intro

[2] systemd, "systemd-tmpfiles Documentation," Linux Foundation, 2026. [Online]. Available: https://www.freedesktop.org/software/systemd/man/systemd-tmpfiles.html

[3] The Hacker News, "Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/ubuntu-cve-2026-3888-bug-lets-attackers.html

[4] Qualys, "Privilege Escalation Explained," Qualys Security Blog, 2026. [Online]. Available: https://blog.qualys.com/vulnerabilities-threat-research/

[5] Ubuntu Security Notice, "USN-XXXX-XX: snapd vulnerability," Ubuntu Security Team, 2026. [Online]. Available: https://ubuntu.com/security/notices

[6] Snapcraft, "snap version Command," Canonical, 2026. [Online]. Available: https://snapcraft.io/docs/snap-version

[7] Canonical, "Checking snapd Version," Ubuntu Documentation, 2026. [Online]. Available: https://ubuntu.com/server/docs/snap-updates

[8] Ubuntu, "Updating Ubuntu," Ubuntu Documentation, 2026. [Online]. Available: https://ubuntu.com/server/docs/package-management

[9] Canonical, "When to Reboot After Updates," Ask Ubuntu, 2026. [Online]. Available: https://askubuntu.com/questions/xxxxxxx

[10] Snapcraft, "Verifying Snap Updates," Canonical, 2026. [Online]. Available: https://snapcraft.io/docs/snap-updates

[11] OWASP, "Race Condition Vulnerabilities," OWASP Foundation, 2025. [Online]. Available: https://owasp.org/www-community/vulnerabilities/Race_Conditions

[12] CISA, "Keeping Systems Updated," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/keeping-systems-updated

[13] NIST, "Principle of Least Privilege," National Institute of Standards and Technology, 2025. [Online]. Available: https://www.nist.gov/itl/least-privilege


Need help securing your Ubuntu systems? lilMONSTER helps small businesses patch vulnerabilities and stay secure. Get help →

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation